Do not follow the crowd...Though more and more companies are showing an interest in risk management, it is intereting to note that most still manage risk on an ad hoc basis. Yes, some companies look at risk management from an ERM approach- or Enterprise Risk Managment approach. Or, as I have in the past discussed, a coordinated Legal Risk Management approach. However, looking at risk management as a whole, it appears that most companies fail to coordinate risk management processes throughout the organization, leaving it up to each department or division to enact their own risk management processes and procedures, independent from the organization as a whole. If your organization handles risk in a haphazard way, its time to step out from the crowd.
A fully integrated risk management system that is a vital part of the organizational structure is important if a company is to truly come to grips with risk and its impact on a company's bottom line. There are many departments in a company that must handle risk issues, but none of them can effectively manage or mitigate risk if left alone or if not given adequate resources. In essence, managing risk must come from the top, ie from the Board of Directors and Upper Management. Only if the Board demands to know what risk processes are in place and only if the Board demands to know how Upper and Middle Management perceive risk ( which may be different) will the company as a whole focus on risk.
To get the company focused on risk, think about communications. Ask yourself whether or not the company or organization encourages open communication between departments. If not, the odds are that what ever risk mitigation tools and strategies one department or division might have are being effectivley communicated throughout the organization. Check on whether a risk assessment audit has been done. Does the company encourgage risk assessments or does the organization view risk assessments as time consuming and costly. Do departments within an organzation encourage open communications throughout the company or are departments siloed, so communication only goes to the top but is not shared. What about individual departments? how do they handle risk? What are the risk management processes that they follow?
In order for a company to truly enjoy the benefits of risk management, a company must take a fully integrated approach- or ERM approach. How can a company adequately use risk mitigation techniques when it fails to support risk management across departments and divisions? If HR doesnt practice risk mitigation, but the credit department does, or if Legal fails to take a risk management approach to litigation but the risk department does utilize risk management procedures, how can a company truly benefit as a whole.
The key is in integration. Practice risk management in every department. Practice risk mitigation in the Board Room. Stand out from the crowd.